Log into Snowflake as a user with either the ACCOUNTADMIN or SECURITYADMIN role.

Create users, if they do not already exist, that match the users that you created in your IdP.

Important

Make sure to use the email address for your IdP users as the login name for your Snowflake users. If you already have existing users in Snowflake, you can use the
ALTER USER command to set their login name to match their email address. For example:

ALTER USER jsmith SET LOGIN_NAME = 'john.smith@abccorp.com';

In addition, you should consider creating (or altering) users so that they have no password in Snowflake. This effectively disables Snowflake authentication for these users and requires them to
log in using federated authentication. Note that this isn’t a strict requirement, but is highly recommended. For more details, see Managing Users with Federated Authentication Enabled.

To enable an IdP for federated authentication, Snowflake requires the following information from the IdP:

Authentication certificate.

URL endpoint for SAML requests.

In addition, you must specify the type of IdP used for authentication (OKTA, ADFS, or CUSTOM). You can also optionally specify the label for the IdP button displayed on the Snowflake login page.

This information is specified through the SAML_IDENTITY_PROVIDER account parameter. This parameter accepts a JSON object, enclosed in single quotes, with the following fields:

{"certificate":"","ssoUrl":"","type":"","label":""}

Where:

certificate

Specifies the certificate that verifies communication between the IdP and Snowflake. This certificate (signed using the RSA 256 algorithm) is generated by the IdP. Include the certificate body only (omit the header/footer) on a single line.

ssoUrl

Specifies the URL endpoint where Snowflake sends the SAML requests. This endpoint is IdP-specific and is determined by the IdP during configuration. For example:

Login URL for ADFS, which is usually the IP or FQDN of your ADFS server with /adfs/ls appended.

type

String literal that specifies the IdP used for federated authentication. Possible values are:

"OKTA"

"ADFS"

"Custom" (for all other IdPs)

label

Specifies the button text for the IdP in the Snowflake login page. The default label is SingleSignOn. If you change the default label, the label you specify can only contain alphanumeric
characters (i.e. special characters and blank spaces are not currently supported).

Note that, if the "type" field is "Okta", a value for the label field does not need to be specified because Snowflake automatically displays the Okta logo in the button.
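To assemble the parameter value from the IdP's exported PEM certificate while enforcing the field rules above (certificate body only, on one line; type limited to the listed values; label alphanumeric), here is an added helper that is not part of Snowflake's documentation. It assumes the statement form ALTER ACCOUNT SET SAML_IDENTITY_PROVIDER = '<json>', a constructed placeholder certificate, a constructed Okta SSO URL, and that the type value is matched case-insensitively.

```python
import json
import re

# Constructed placeholder: the body is not a real certificate, only the shape
# (PEM header/footer, wrapped base64 lines) that an IdP-exported file has.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIBszCCARygAwIBAgIBATANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAlhYmNj
b3JwLWlkcDAeFw0yNDAxMDEwMDAwMDBa
-----END CERTIFICATE-----
"""

# Values the page lists for the "type" field (input is upper-cased: assumption).
ALLOWED_TYPES = {"OKTA", "ADFS", "CUSTOM"}


def certificate_body(pem: str) -> str:
    """Strip the PEM header/footer and join the base64 lines into one line."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.strip().startswith("-----")]
    if not body:
        raise ValueError("no certificate body found in PEM input")
    joined = "".join(body)
    if not re.fullmatch(r"[A-Za-z0-9+/=]+", joined):
        raise ValueError("certificate body is not base64")
    return joined


def build_saml_idp_statement(pem: str, sso_url: str, idp_type: str,
                             label: str = "SingleSignOn") -> str:
    """Return the ALTER ACCOUNT statement that sets SAML_IDENTITY_PROVIDER."""
    idp_type = idp_type.upper()
    if idp_type not in ALLOWED_TYPES:
        raise ValueError(f"type must be one of {sorted(ALLOWED_TYPES)}")
    # Added check, not from the page: the IdP endpoint should be served over TLS.
    if not sso_url.startswith("https://"):
        raise ValueError("ssoUrl must be an https:// URL")
    # Page rule: a custom label may contain alphanumeric characters only.
    if not re.fullmatch(r"[A-Za-z0-9]+", label):
        raise ValueError("label must be alphanumeric (no spaces or symbols)")
    value = json.dumps({"certificate": certificate_body(pem), "ssoUrl": sso_url,
                        "type": idp_type, "label": label}, separators=(",", ":"))
    # The JSON is wrapped in single quotes, so none may appear inside it.
    if "'" in value:
        raise ValueError("single quote not allowed inside the parameter value")
    return f"ALTER ACCOUNT SET SAML_IDENTITY_PROVIDER = '{value}';"
```

Call build_saml_idp_statement with your real PEM, SSO URL, type and label, and review the printed statement before running it as ACCOUNTADMIN.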

To set the parameter, as a user with the ACCOUNTADMIN role, execute an ALTER ACCOUNT command:

The following example sets Okta as the IdP for your account (with abccorp as your Okta account name):

Snowflake provides a preview login page in the web interface that can be used to test Snowflake-initiated login before rolling it out to all your users on the main login page. Once you have set
the SAML_IDENTITY_PROVIDER account parameter to enable SSO, you can go to the following URL to access the preview page:

If your account is in US West: https://<account_name>.snowflakecomputing.com/console/login?fedpreview=true

If your account is in any other Snowflake Region: https://<account_name>.<region_id>.snowflakecomputing.com/console/login?fedpreview=true

The button for logging in via the IdP for your account (Okta, ADFS, or custom) is displayed on the preview page.

Note

This step is optional, but highly recommended to ensure the feature is working as expected before rolling it out to your users.

Snowflake provides an account parameter, SSO_LOGIN_PAGE, for enabling Snowflake-initiated login on the main login page. You must set this parameter to TRUE (default value is
FALSE) to complete the federated authentication configuration for your account. After setting this parameter, when users go to the main login page, the button for logging in via the IdP for your
account (Okta, ADFS, or custom) is displayed.

To set the parameter, as a user with the ACCOUNTADMIN role, execute the following ALTER ACCOUNT command: